Regulations last checked for updates: Apr 27, 2025

Title 28 - Judicial Administration last revised: Apr 18, 2025
All TitlesTitle 28Chapter IPart 202Subpart B - Subpart B—Definitions
View all text of Subpart B [§ 202.201 - § 202.259]
§ 202.258 - Vendor agreement.

(a) Definition. The term vendor agreement means any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration.

(b) Examples—(1) Example 1. A U.S. company collects bulk precise geolocation data from U.S. users through an app. The U.S. company enters into an agreement with a company headquartered in a country of concern to process and store this data. This vendor agreement is a restricted transaction.

(2) Example 2. A medical facility in the United States contracts with a company headquartered in a country of concern to provide IT-related services. The contract governing the provision of services is a vendor agreement. The medical facility has bulk personal health data on its U.S. patients. The IT services provided under the contract involve access to the medical facility's systems containing the bulk personal health data. This vendor agreement is a restricted transaction.

(3) Example 3. A U.S. company, which is owned by an entity headquartered in a country of concern and has been designated a covered person, establishes a new data center in the United States to offer managed services. The U.S. company's data center serves as a vendor to various U.S. companies to store bulk U.S. sensitive personal data collected by those companies. These vendor agreements are restricted transactions.

(4) Example 4. A U.S. company develops mobile games that collect bulk precise geolocation data and biometric identifiers of U.S.-person users. The U.S. company contracts part of the software development to a foreign person who is primarily resident in a country of concern and is a covered person. The contract with the foreign person is a vendor agreement. The software-development services provided by the covered person under the contract involve access to the bulk precise geolocation data and biometric identifiers. This is a restricted transaction.

(5) Example 5. A U.S. multinational company maintains bulk U.S. sensitive personal data of U.S. persons. This company has a foreign branch, located in a country of concern, that has access to this data. The foreign branch contracts with a local company located in the country of concern to provide cleaning services for the foreign branch's facilities. The contract is a vendor agreement, the foreign branch is a U.S. person, and the local company is a covered person. Because the services performed under this vendor agreement do not “involve access to” the bulk U.S. sensitive personal data, the vendor agreement would not be a covered data transaction.

authority: 50 U.S.C. 1701
source: 90 FR 1706, Jan. 8, 2025, unless otherwise noted.
cite as: 28 CFR 202.258
© 2014 CustomsMobile | Disclaimer | Privacy | About